We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / RBI System Audit (SAR)
Reserve Bank of India · India

RBI System Audit Report (SAR) & Data Localisation

Annual system audit and payment-data localisation assurance for payment system operators.

Introduction: RBI System Audit Report (SAR) & Data Localisation

The Reserve Bank of India (RBI) is the sovereign regulator of India's banking and payment-system landscape, and it has progressively raised the bar on the technology-risk posture of every regulated entity that touches money. The System Audit Report (SAR) regime and the accompanying data-localisation mandate sit at the centre of this expectation. In plain terms, if you operate a payment system, issue prepaid instruments, run a payment aggregator or gateway, provide payment-related services, or are a scheduled commercial bank, small finance bank, payments bank, urban co-operative bank, NBFC or a Non-bank Financial Company operating a payment system, then a periodic, independent System Audit is not optional — it is a licensing and continuance condition.

This guide is written for the person who actually has to sit in the audit chair — the CISO, the head of IT, the compliance lead, the internal auditor and the external empanelled auditor. It walks through what the SAR actually is, who must produce one, how it is structured, and — most importantly — a master assessment checklist that enumerates every control family the RBI expects an auditor to examine, together with the evidence a QSA-grade reviewer would demand. It also covers the closely bound obligation of storing payment-system data only within India (the Data Storage / Data Localisation directive of April 2018), because in practice the SAR must confirm compliance with it.

Two distinct but overlapping instruments drive this: (1) the RBI circular DPSS.CO.OD.No.2785/06.08.005/2017-2018 dated 6 April 2018 on 'Storage of Payment System Data', and (2) the requirement embedded across the Payment Aggregator / Payment Gateway (PA-PG) guidelines, the Master Directions on Prepaid Payment Instruments (PPIs), the RBI Master Direction on Digital Payment Security Controls (2021), and the general licensing conditions under the Payment and Settlement Systems Act, 2007 (PSS Act) for a periodic System Audit. The SAR is the deliverable through which an entity demonstrates conformance to all of them.

Copyright & source note
RBI circulars, Master Directions and the PSS Act are official Government of India / Reserve Bank of India publications. The control identifiers, dates and terminology referenced here are paraphrased for guidance only and must never be treated as a substitute for the authoritative text on the RBI website (rbi.org.in). Always audit against the latest version of the relevant circular, as RBI amends timelines and scope through addenda and FAQs. This CyberSigma guide contains original explanatory content and does not reproduce copyrighted RBI text.

What is the RBI System Audit (SAR)?

A System Audit is an independent, evidence-based examination of the information systems, technology infrastructure, information-security controls and operational processes of an RBI-regulated payment or financial entity, conducted by an external auditor who is empanelled with CERT-In (the Indian Computer Emergency Response Team) or is a qualified independent professional acceptable to RBI. The output of that examination is the System Audit Report — the SAR — a formal, signed document submitted to RBI (and retained for inspection) confirming whether the entity's systems are secure, resilient, compliant and, specifically for payment operators, whether payment-system data is stored only in India.

The SAR is not a one-off certification. For most payment operators it is an annual (or as-specified) recurring obligation. For a Payment Aggregator seeking authorisation, an initial SAR is a condition of the in-principle-to-final licence progression; thereafter an annual SAR must be submitted. The audit must be forward-looking — it covers the design and operating effectiveness of controls over the review period, not merely a point-in-time snapshot.

The SAR combines several audit disciplines: an IS (information systems) audit, an information-security / cyber-security review, a business-continuity and disaster-recovery assessment, an application-security review of payment applications, a data-localisation compliance verification, and — for PA/PGs — merchant-onboarding and settlement-control testing. The auditor issues an opinion, lists observations by risk severity, and confirms closure of prior-period findings.

How the SAR differs from a general IT audit

  • It is regulator-mandated and regulator-submitted — RBI is the audience, not just the board.
  • It carries statutory weight under the PSS Act, 2007; adverse findings can jeopardise the authorisation to operate a payment system.
  • It must be performed by a CERT-In empanelled auditor or an RBI-acceptable independent professional, not merely an internal team.
  • It has a mandatory data-localisation verification component that a generic ISO 27001 audit would not include.
  • Findings must be tracked to closure and re-verified in the next cycle; open high-risk items must be reported.

Who must comply

The obligation to obtain a System Audit and submit a SAR is triggered by the nature of the licence or authorisation held. The data-localisation directive of April 2018 applies to all 'system providers' and their participants, service providers, intermediaries, payment gateways, third-party vendors and other entities in the payment ecosystem. The table below summarises the principal categories.

Regulated entity typeSAR / audit obligationGoverning instrument
Payment Aggregators (PA) — onlineInitial SAR for authorisation + annual SAR thereafterPA-PG Guidelines (Mar 2020, as amended)
Payment Gateways (PG) — technology providersSystem audit as advised (baseline technology recommendations)PA-PG Guidelines
Prepaid Payment Instrument (PPI) issuersAnnual system audit; audit of escrow / floatMaster Direction on PPIs (2021)
Scheduled Commercial Banks & SFBsPeriodic IS audit + cyber-security framework auditCyber Security Framework circular (2016); Digital Payment Security Controls (2021)
Payments Banks & Urban Co-operative BanksIS audit per applicable tier / graded frameworkUCB Cyber Security Framework (graded)
NBFCs operating payment systems / large NBFCsIT audit per Master Direction on IT GovernanceMaster Direction on IT Governance, Risk, Controls & Assurance (2023)
Card networks / operators of authorised payment systemsSystem audit + data-localisation SARPSS Act, 2007; Data Storage circular (Apr 2018)
Third-party service providers / intermediaries handling payment dataCompliance verified within the principal's SARData Storage circular (Apr 2018)
White-label ATM operatorsSystem audit as per authorisation conditionsPSS Act authorisation conditions
  • Any entity that stores, processes or transmits payment-system data — even if outsourced — is in scope for the data-localisation verification.
  • Cross-border transaction data may be processed abroad but the data must be brought back and stored only in India, with any foreign copy deleted within a defined window (commonly cited as 24 hours from payment processing).
  • Fintechs partnering with a regulated entity are covered transitively; the regulated principal remains accountable.
  • Group entities and cloud / co-location providers used by the regulated entity fall within audit scope.

Structure of the RBI System Audit (SAR)

There is no single monolithic 'control catalogue' number range as in PCI DSS or NIST; instead, the SAR is structured around control domains drawn from the applicable RBI Master Directions and circulars. In practice a competent auditor organises the SAR into the domains below. This structure aligns the SAR with the RBI Master Direction on Digital Payment Security Controls (2021) and the PA-PG baseline technology recommendations, which are the most detailed control sources.

Domain codeDomain / control familyPrimary sourceIllustrative control count
D1Governance, Risk & Board OversightIT Governance MD (2023); DPSC (2021)10-14
D2Information Security Policy & StandardsDPSC (2021); Cyber Security Framework8-12
D3Network Security & SegmentationDPSC (2021)10-15
D4Application Security (payment apps)DPSC (2021); PA-PG baseline12-18
D5Authentication & Access ControlDPSC (2021)10-14
D6Cryptography & Key ManagementDPSC (2021); Data Storage circular8-10
D7Data Localisation & Data GovernanceData Storage circular (Apr 2018)8-12
D8Fraud Risk Management & Transaction MonitoringDPSC (2021); PA-PG8-12
D9Merchant Onboarding & KYC (PA/PG only)PA-PG Guidelines10-14
D10Settlement, Escrow & Nodal Account ControlsPA-PG; PPI MD8-12
D11Vendor / Outsourcing & Third-party RiskOutsourcing guidelines; DPSC8-10
D12Incident Response & Reporting to RBI/CERT-InCERT-In directions (2022); DPSC8-10
D13Business Continuity & Disaster RecoveryBCP guidelines; DPSC8-10
D14Logging, Monitoring & Audit TrailsDPSC (2021); CERT-In (2022)8-12
D15Change & Patch ManagementDPSC (2021)6-10
D16Vulnerability Management & Penetration TestingDPSC (2021); PA-PG6-10

Master assessment checklist

This is the operational heart of the SAR. Below, each domain is expanded into what the auditor must verify and the typical evidence a CERT-In empanelled auditor or PCI QSA would collect. Nothing here should be skipped; where a domain is not applicable (for example, merchant onboarding for a non-PA entity), the auditor must formally record it as 'not applicable with justification' rather than omit it.

D1 — Governance, Risk & Board Oversight

What to verifyTypical evidence
Board-approved IT/IS and cyber-security strategy exists and is reviewed periodicallyBoard/IT Strategy Committee minutes; approved policy with version dates
A designated CISO independent of the IT development function is appointedAppointment letter; organisation chart; reporting line to risk/board
IT Steering / Risk Committee meets at defined cadence with quorumCommittee charter; meeting minutes; attendance registers
Technology risk register is maintained with owners and treatment plansRisk register; risk-acceptance sign-offs; remediation trackers
Roles, responsibilities and segregation of duties are documentedRACI matrix; SoD matrix; access-grant approvals
Prior SAR observations are tracked to closurePrior SAR; closure tracker; evidence of remediation

D2 — Information Security Policy & Standards

What to verifyTypical evidence
A comprehensive, board-approved information-security policy is in forceSigned policy; approval record; review history
Standards and procedures cascade from policy (hardening, acceptable use, data classification)Standard operating procedures; hardening baselines; classification schema
Policy exceptions are formally approved and time-boundException register; risk sign-off; expiry tracking
Staff acknowledge policies and undergo security awareness trainingAcknowledgement logs; training completion records; phishing-simulation results
Policies are reviewed at least annually or on material changeVersion control log; review minutes

D3 — Network Security & Segmentation

What to verifyTypical evidence
Network is segmented; the cardholder/payment environment is isolated from corporate and internet zonesNetwork diagrams; VLAN/firewall zone config; segmentation test results
Firewall and router rule-sets follow least-privilege and are reviewed periodicallyFirewall rule export; rule-review sign-offs; change tickets
Ingress/egress controls, DMZ and secure gateways are in placeArchitecture diagram; proxy/gateway config
Wireless networks are secured and separated from the payment environmentWLAN config; encryption settings; rogue-AP scan results
DDoS protection and perimeter defences are deployedWAF/DDoS service config; test evidence
Remote access uses secured, MFA-protected VPN with loggingVPN config; MFA enrolment; access logs

D4 — Application Security (payment applications)

What to verifyTypical evidence
Secure SDLC is followed with security requirements and code reviewSDLC policy; code-review records; security gate sign-offs
Applications defend against OWASP Top 10 and payment-specific abuseSAST/DAST reports; remediation evidence
Input validation, output encoding and session management are enforcedDesign docs; test cases; scan results
Sensitive data is never exposed in URLs, logs or error messagesLog samples; code review; error-handling review
Mobile / API endpoints are hardened (rate limiting, tokenisation, cert pinning)API gateway config; mobile app test report
Application changes go through security testing before productionRelease checklist; pre-prod pentest evidence

D5 — Authentication & Access Control

What to verifyTypical evidence
Multi-factor authentication for administrative, remote and privileged accessMFA policy; enrolment reports; login logs
Role-based access with least privilege and periodic recertificationRBAC matrix; access-review reports; revocation records
Privileged access is managed through a PAM solution with session recordingPAM config; session recordings; vaulting evidence
Joiner-mover-leaver process removes access promptly on exitHR-IT deprovisioning tickets; timing evidence
Customer authentication uses risk-based / additional-factor mechanismsAFA design; OTP/step-up config; transaction logs
Default and shared credentials are eliminatedConfig review; account inventory

D6 — Cryptography & Key Management

What to verifyTypical evidence
Data in transit is protected with strong TLS (weak protocols/ciphers disabled)TLS scan (e.g. testssl); config export
Data at rest — especially card and PII — is encrypted or tokenisedEncryption config; tokenisation vault evidence; DB config
Card data storage complies with PCI DSS and RBI tokenisation mandatesPCI AoC/RoC; tokenisation implementation evidence
Cryptographic keys are managed in HSM/KMS with rotation and dual controlHSM/KMS logs; key-ceremony records; rotation schedule
No storage of full card data / CVV where prohibitedData-discovery scan; DB schema review

D7 — Data Localisation & Data Governance

What to verifyTypical evidence
All payment-system data is stored only in a system located in IndiaData-flow diagrams; server/DC location certificates; hosting contracts
Full end-to-end transaction details are within India (payment instruction, credentials, transaction and settlement data)Data-element mapping; storage-location attestation
Foreign-leg processing (if any) has data brought back and foreign copy deleted within the stipulated windowDeletion logs; data-purge evidence; timestamps
No unauthorised replication, backup or DR site of payment data outside IndiaDR/backup location evidence; cloud-region config
Data classification and retention policy governs payment dataClassification schema; retention/disposal records
Third parties and cloud providers contractually enforce India-only storageContracts; DPAs; audit-right clauses

D8 — Fraud Risk Management & Transaction Monitoring

What to verifyTypical evidence
Real-time / near-real-time transaction monitoring and velocity checks operateFraud-engine config; rule library; alert logs
Fraud risk management framework is board-approved and reviewedFRM policy; committee minutes
Customer alerts and cooling-off / transaction-limit controls existAlert templates; limit configuration
Suspicious transactions are investigated and escalatedCase-management records; SAR/STR filings where applicable
Chargeback and dispute handling processes are definedDispute SOP; MIS reports

D9 — Merchant Onboarding & KYC (Payment Aggregators / Gateways)

What to verifyTypical evidence
Merchant onboarding follows a board-approved policy with due diligenceOnboarding policy; KYC checklists
KYC / CDD is performed on merchants per RBI KYC Master DirectionKYC records; verification evidence; risk categorisation
Prohibited / high-risk merchant categories are screened outNegative-list; MCC controls; screening logs
Merchant website/app checks for compliance and security are performedSite-review checklist; security-scan of merchant integration
Ongoing monitoring of merchant activity and transaction patternsMonitoring MIS; anomaly alerts
Merchant agreements bind data-security and localisation obligationsExecuted agreements; clause review

D10 — Settlement, Escrow & Nodal Account Controls

What to verifyTypical evidence
Collections flow through an escrow / nodal account with a scheduled commercial bankEscrow account statements; bank confirmation
No commingling of merchant funds with the PA's own fundsLedger reconciliation; segregation evidence
Settlement to merchants happens within regulatory timelines (Tp+1 etc.)Settlement reports; timing analysis
Debits/credits to escrow are only for permitted purposesTransaction logs; permitted-debit review
Daily reconciliation of escrow balance against outstanding obligationsReconciliation statements; break resolution
Core-portion / float balances maintained as requiredBalance certificates; auditor confirmation

D11 — Vendor / Outsourcing & Third-party Risk

What to verifyTypical evidence
Outsourcing policy aligns with RBI outsourcing guidelinesOutsourcing policy; board approval
Due diligence and risk assessment performed before onboarding vendorsVendor risk assessments; due-diligence reports
Contracts include audit rights, RBI inspection rights, SLAs and exit clausesExecuted contracts; clause matrix
Vendor access to systems/data is controlled and loggedAccess records; monitoring logs
Fourth-party / sub-contracting risk is assessed and approvedSub-contract disclosures; approvals

D12 — Incident Response & Reporting to RBI / CERT-In

What to verifyTypical evidence
A documented, tested incident-response plan existsIR plan; tabletop/drill records
Security incidents are reported to CERT-In within 6 hours (2022 directions)Incident register; CERT-In submission acknowledgements
Material incidents / breaches are reported to RBI within stipulated timeRBI incident reports; timing evidence
Roles, escalation matrix and communication plan are definedEscalation matrix; contact lists
Root-cause analysis and lessons-learned drive improvementRCA reports; corrective-action tracking

D13 — Business Continuity & Disaster Recovery

What to verifyTypical evidence
BCP and DR plans exist with defined RTO/RPO for payment systemsBCP/DR documents; RTO/RPO definitions
DR site is within India and periodically testedDR test reports; DR location evidence
Business impact analysis underpins recovery prioritiesBIA document; criticality ratings
Backups are taken, encrypted and restoration-testedBackup logs; restore-test evidence
Near-zero / high-availability architecture for critical payment flowsArchitecture diagrams; uptime SLA reports

D14 — Logging, Monitoring & Audit Trails

What to verifyTypical evidence
Comprehensive audit trails capture user, admin and system activityLog configuration; sample log extracts
Logs are time-synchronised (NTP), tamper-protected and centralised (SIEM)NTP config; SIEM ingestion evidence; integrity controls
Logs are retained per regulatory requirement (commonly 180 days rolling as per CERT-In)Retention policy; storage evidence
Security monitoring / SOC provides alerting and correlationSOC runbooks; alert samples; use-case list
Privileged and payment-transaction events are specifically monitoredMonitoring use-cases; alert logs

D15 — Change & Patch Management

What to verifyTypical evidence
Formal change-management process with approvals and rollbackChange tickets; CAB minutes; rollback plans
Security patches applied within defined SLA by criticalityPatch reports; SLA tracking; exception log
Emergency changes follow a controlled, documented pathEmergency-change records; post-implementation review
Segregation between development, test and production environmentsEnvironment inventory; access separation evidence

D16 — Vulnerability Management & Penetration Testing

What to verifyTypical evidence
Regular vulnerability assessment of infrastructure and applicationsVA scan reports; scan schedule
Independent penetration testing performed at least annually and after major changeVAPT reports by qualified testers; scope documents
Findings are risk-rated and remediated within SLA, with re-testingRemediation tracker; re-test evidence
ASV / external scans for internet-facing payment assetsExternal scan reports; clean-scan attestations

Scoping

Accurate scoping determines the credibility of the SAR. The auditor must first establish the payment-data footprint: every system, application, database, network segment, interface, API, cloud tenancy and third party that stores, processes or transmits payment-system data. Under-scoping is the single most common reason RBI rejects a SAR or issues an adverse continuance direction.

  • Define the in-scope environment by following the data: trace the full transaction lifecycle from customer initiation to settlement and archival.
  • Include all supporting systems — authentication, key management, logging, monitoring, backup and DR — even if they do not process transactions directly.
  • Include outsourced components: cloud hosting, managed SOC, payment-processor connections and merchant-integration layers.
  • Explicitly document out-of-scope systems with the justification for exclusion (e.g. segmentation that isolates them).
  • For data localisation, scope must cover every copy of payment data including backups, DR, analytics stores, logs and reporting systems.
  • State the review period covered by the SAR (typically the preceding 12 months for an annual audit).
Scoping tip
Segmentation reduces scope only if it is proven. If you claim a corporate zone is out of scope, the auditor must validate the isolation with segmentation testing. Unproven segmentation collapses the boundary and pulls the excluded systems back in.

Implementation approach (phased)

Entities that treat the SAR as a last-minute compliance scramble invariably fail. A phased programme, ideally spanning three to four months before the submission deadline, produces a defensible report and, more importantly, genuinely secure systems.

Phase 1 — Initiation & Scoping (Weeks 1-2)

  • Activities: appoint a CERT-In empanelled auditor; agree scope, review period and methodology; hold kick-off; collect prior SAR and closure status; build the data-flow and asset inventory.
  • Deliverables: signed engagement letter; agreed scope document; audit plan; data-flow diagrams; asset register.

Phase 2 — Control Design Review (Weeks 3-5)

  • Activities: review policies, standards, architecture and process documents against each domain; identify design gaps; map controls to RBI Master Directions.
  • Deliverables: control-design assessment; preliminary gap list; requests-for-information tracker.

Phase 3 — Control Operating-Effectiveness Testing (Weeks 6-10)

  • Activities: sample-based testing of evidence, log reviews, configuration reviews, VAPT, segmentation testing, data-localisation verification, escrow reconciliation checks.
  • Deliverables: test working papers; VAPT report; data-localisation verification memo; provisional findings.

Phase 4 — Remediation & Re-test (Weeks 10-13)

  • Activities: management remediates high-risk findings; auditor re-tests; residual risk assessed; closure of prior-period items confirmed.
  • Deliverables: remediation evidence; re-test results; updated findings register.

Phase 4b — Reporting & Submission (Weeks 13-14)

  • Activities: draft SAR with opinion and risk-rated observations; management responses obtained; auditor sign-off; board / audit-committee review; submission to RBI.
  • Deliverables: signed System Audit Report; management action plan; RBI submission acknowledgement.

Maturity / capability scoring model

While RBI does not prescribe a formal maturity scale, a capability-maturity model is invaluable for tracking progress cycle-on-cycle and prioritising remediation. CyberSigma applies the following five-level model, aligned to CMMI-style thinking, to each control domain.

LevelNameDescriptionTypical SAR outcome
1Initial / Ad-hocControls absent or informal; reliance on individualsMajor non-conformity; likely adverse SAR
2DevelopingSome controls documented but inconsistently appliedMultiple high-risk observations
3DefinedControls documented, approved and consistently followedBaseline acceptable; medium observations
4ManagedControls measured, monitored and reviewed with metricsClean SAR with minor observations
5OptimisingContinuous improvement, automation and threat-informed tuningExemplary SAR; leading practice

A target maturity of Level 3 (Defined) is the minimum for a clean SAR; regulated entities of systemic importance should aim for Level 4 across the payment-critical domains (D3-D7, D10, D12-D14).

Assessment and audit approach

  1. Confirm the auditor's independence and CERT-In empanelment (or RBI-acceptable status) and document the engagement scope and review period.
  2. Obtain and study the prior SAR, closure tracker, and any RBI correspondence or inspection findings.
  3. Build a complete asset and data-flow inventory; validate the boundary and, where claimed, test segmentation.
  4. Perform control-design review against each of the sixteen domains, mapping to the relevant RBI Master Direction or circular.
  5. Perform operating-effectiveness testing on a risk-based sample: configuration reviews, log analysis, VAPT, escrow reconciliation and data-localisation verification.
  6. Specifically verify data localisation: trace every payment-data element, confirm India-only storage, and validate deletion of any permitted foreign copy within the stipulated window.
  7. Risk-rate each observation (Critical / High / Medium / Low) with impact and likelihood rationale.
  8. Present provisional findings to management; obtain responses and remediation commitments; re-test remediated high-risk items.
  9. Draft the SAR with an overall opinion, domain-level conclusions, the findings register and management action plan.
  10. Obtain auditor sign-off, board / audit-committee review, and submit the signed SAR to RBI within the prescribed timeline, retaining working papers for inspection.

Evidence request list

The following categorised list is what an auditor will request. Assembling it in advance dramatically accelerates the engagement.

  • Governance: board/committee minutes, IT & security strategy, CISO appointment, risk register, org charts, SoD matrix.
  • Policies & standards: information-security policy, hardening baselines, data-classification schema, acceptable-use policy, exception register.
  • Network: architecture and data-flow diagrams, firewall rule exports, segmentation test results, VPN and wireless configs.
  • Application: SDLC policy, code-review records, SAST/DAST reports, API and mobile security test results, release checklists.
  • Access & authentication: RBAC/PAM configs, access-review reports, MFA enrolment, joiner-mover-leaver tickets.
  • Cryptography: TLS scan output, encryption/tokenisation configs, HSM/KMS logs, PCI DSS AoC/RoC.
  • Data localisation: hosting/DC location certificates, data-element mapping, foreign-copy deletion logs, cloud-region configs, third-party contracts.
  • Fraud & monitoring: FRM policy, fraud-engine rules, alert logs, dispute/chargeback MIS.
  • Merchant & settlement (PA/PG): onboarding policy, KYC records, escrow statements, settlement reports, reconciliations.
  • Vendor: outsourcing policy, vendor risk assessments, contracts with audit/RBI-inspection clauses.
  • Incident & continuity: IR plan, CERT-In/RBI incident submissions, BCP/DR plans, DR test reports, backup and restore logs.
  • Logging & monitoring: SIEM configuration, retention policy, sample logs, SOC runbooks and alert samples.
  • Change & vulnerability: change tickets, patch reports, VA/VAPT reports and remediation/re-test evidence.

Roles and responsibilities

RoleResponsibility in the SAR process
Board / IT Strategy CommitteeApproves policies and the audit; reviews SAR findings; owns overall accountability
CISOOwns the security control environment; coordinates remediation; primary auditee contact
Head of IT / TechnologyProvides infrastructure and application evidence; implements technical remediation
Compliance OfficerEnsures regulatory alignment and timely RBI submission; tracks closures
Internal AuditSupports readiness assessment; validates management assertions pre-audit
Escrow / Finance controller (PA/PG)Provides settlement and escrow reconciliation evidence
External CERT-In empanelled auditorPerforms independent assessment; issues the signed SAR opinion
Vendors / cloud providersFurnish location attestations, configs and audit-right cooperation
Data Protection / Privacy leadConfirms data localisation, classification and retention compliance

KPIs to track

  • Percentage of prior-period SAR observations closed before the next cycle.
  • Number of open Critical/High findings and mean time to remediate.
  • Patch SLA adherence rate by criticality.
  • VAPT findings trend (open vs closed) cycle-on-cycle.
  • Percentage of payment data verified as India-only storage (target 100%).
  • Foreign-copy deletion compliance rate within the stipulated window.
  • MFA and PAM coverage of privileged accounts.
  • Escrow reconciliation break count and resolution time (PA/PG).
  • Incident reporting timeliness to CERT-In (within 6 hours) and RBI.
  • DR test success rate against RTO/RPO targets.
  • Security awareness training completion and phishing-simulation failure rate.
  • Maturity score by domain versus target (Level 3/4).

Readiness checklist

  • CERT-In empanelled auditor engaged and scope agreed
  • Prior SAR observations closed and evidenced
  • Complete asset and payment-data-flow inventory prepared
  • Segmentation between payment and corporate zones proven
  • All payment-system data confirmed stored only in India
  • Foreign-copy deletion within stipulated window evidenced
  • Board-approved security and fraud-risk policies in force
  • MFA and PAM deployed for privileged and remote access
  • Card data tokenised / PCI DSS compliance evidenced
  • Latest VAPT completed and high-risk findings remediated
  • Escrow / nodal account reconciled and within timelines (PA/PG)
  • Merchant KYC and onboarding records complete (PA/PG)
  • Incident-response plan tested and CERT-In reporting path ready
  • BCP/DR plan tested with DR site inside India
  • SIEM logging with required retention and monitoring operational
  • Vendor contracts include RBI inspection and audit rights
  • Management action plan drafted for residual findings

Common gaps

  • Payment data replicated to a foreign DR/backup or analytics store, breaching data localisation.
  • Foreign-leg processing where the returned data is not deleted within the stipulated window (no deletion logs).
  • Unproven segmentation claims that improperly narrow scope.
  • Prior SAR observations left open across cycles without closure evidence.
  • Weak or absent MFA on administrative and remote access.
  • Full card data / CVV storage or absence of RBI-mandated tokenisation.
  • Escrow commingling or settlement delays beyond regulatory timelines (PA/PG).
  • Inadequate merchant KYC and onboarding of prohibited merchant categories.
  • Incident-reporting timelines to CERT-In (6 hours) not met or not evidenced.
  • Insufficient log retention (below the CERT-In requirement) or non-time-synchronised logs.
  • Vendor contracts lacking RBI inspection / audit-right and exit clauses.
  • VAPT findings not remediated or not re-tested before the SAR.

RBI System Audit (SAR) mapped to other frameworks

RBI SAR domainPCI DSS v4.0ISO/IEC 27001:2022NIST CSF 2.0
Governance & Board OversightReq 12A.5 Organisational controlsGV (Govern)
Information Security PolicyReq 12A.5.1 PoliciesGV.PO
Network Security & SegmentationReq 1, 11.4A.8.20-8.22PR.AA / PR.IR
Application SecurityReq 6A.8.25-8.29PR.PS
Authentication & Access ControlReq 7, 8A.8.2-8.5PR.AA
Cryptography & Key ManagementReq 3, 4A.8.24PR.DS
Data Localisation & Governance(not covered)A.5.34 / A.8.10-8.12GV.PO / PR.DS
Fraud & Transaction MonitoringReq 10, 11A.8.16DE.CM
Incident ResponseReq 12.10A.5.24-5.28RS (Respond)
Business Continuity & DR(supports Req 12)A.5.29-5.30 / A.8.13-8.14RC (Recover)
Logging & MonitoringReq 10A.8.15-8.16DE.CM / DE.AE
Vulnerability Management & VAPTReq 6, 11A.8.8ID.RA / PR.PS
How CyberSigma helps
CyberSigma is a CERT-In empanelled security auditor and PCI QSA firm that runs end-to-end RBI System Audit (SAR) and data-localisation engagements — from scoping and gap assessment through VAPT, escrow-control testing and India-only data verification, to the signed SAR submitted to RBI. We help payment aggregators, PPI issuers, banks and NBFCs close findings, uplift domain maturity to Level 3/4, and stay continuously audit-ready. Talk to our RBI compliance team to plan your next SAR cycle with confidence.
Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Frequently asked questions

Who can perform the RBI System Audit (SAR)?
A CERT-In empanelled auditor must perform the System Audit and issue the SAR. CyberSigma is CERT-In empanelled.
What is payment data localisation?
RBI requires the entire payment data of transactions processed in India to be stored only in India; the SAR independently confirms this.

Need help with RBI System Audit (SAR)?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.